Page 1 of 2
The financial industry is gearing up for what might become the largest cybercrime event of 2013.
A figure in the Russian criminal underworld is in the process of hiring 100 botmasters to participate in "Project Blitzkrieg," which is believed to be targeting 30 financial institutions with a coordinated attack aimed at draining consumer bank accounts.
The recruitment efforts became publicly known in September, and while some industry insiders have speculated that the initiative might be a hoax or a law enforcement sting operation, McAfee Security has issued a report demonstrating that the groundwork is largely prepared and that beta testing has already taken place, using smaller numbers of victims in the U.S. and Romania.
The exploit will leverage a Trojan known as Gozi Prinimalka, which includes a series of customized variants of the four-year-old Gozi Trojan. The malware is optimized for the theft of banking passwords, and a coordinated attack is expected to occur sometime in the spring. According to researchers at McAfee, hundreds of such infections are currently known, and that number is believed to be the tip of the iceberg.
McAfee has already documented two different campaigns. The first pilot program involved 300 to 500 victims in the United States, and the second beta test involved approximately 120 individual systems and Romania.
"These are just the ones we know about," said McAfee threat researcher, Ryan Sherstobitoff. "The actual number is probably far higher than that. There's also a third [beta test] that is not included in our report because we don't have enough information yet, but we think that one is in the thousands."
The alleged architect of the campaign goes by the screen name, "vorVzakone," which translates from Russian as "thief in law." He has reportedly made available to the underworld series of screenshots depicting a control panel from which the attack will be coordinated. It is believed that a number of tactics will be used to emulate the victims' PC identifiers, and appeared to be a legitimate request from the user for the transfer of funds to mule accounts. Examples include a SOCKS proxy connection that is expected to hijack the IP address of each victim.
"The system is not only designed to extract money from victims' accounts, it also uses a form of DDoS," said Sherstobitoff. "This separate attack is not aimed at the banks' websites. It is rather a form of Skype phone flooding which is intended to bog down the customer service lines to prevent any sort of response to fraud claims, and also make the banks unable to reach their customers for verification while the money is being stolen. The phone lines are intended to be completely consumed while the operation is underway."